On 6 October 2015, the EU-US Safe Harbour framework – the self-certification program for US firms according to the EU’s Data Protection Directive – was declared void by the ECJ. Is this a true ‘bombshell’ ruling emerging from the EU’s highest court? As we commented, the precise implications of the ruling are still more than unclear. Just a week later, a German state data protection agency released a set of recommendations for public institutions and businesses on data transfers to the US. The German authority has gone beyond the ECJ ruling in its recommendations: the few alternatives to Safe Harbour for transferring data – namely explicit consent of data subjects and model contract clauses (MCCs) – are declared invalid as well. In short, no data should flow between Germany and the US. The German recommendation is the first step by the EU on its path towards de facto forced data localisation requirements.
In its press release published on 14 October 2015, the ‘Independent Data Protection Agency’ (ULD) of the county of Schleswig-Holstein, one of Germany’s state-level data protection agencies, lays out the practical implications of the ECJ’s ruling on Safe Harbour. ULD emphasizes the prime concern of the ECJ ruling – the US government’s mass and indiscriminate surveillance practices. Moreover, it refers to the Council of German Data Protection Commissioners, which argues that the US does not offer appropriate data protection standards, based on what they know from the Snowden revelations on electronic mass surveillance under PRISM. However, ULD seems to be less concerned about the pervasive surveillance by Germany’s own security agencies or by EU member states on their own people, or that personal data flows illegally to Russia or China.
ULD goes on to conclude that the US does not have national legislation that is appropriate to provide an adequate level of protection of citizens’ personal data. Therefore, the US cannot make any appropriate international commitments that secure the right of privacy and the proper treatment of European personal data. It also implies the EU Commission’s hands are tied, at least in the short term: the European Commission cannot declare adequate protection until US lawmakers have re-examined and re-regulated their own privacy rules. This includes the availability of redress rights for all EU citizens when data is accessed by US intelligence services. According to ULD, the practical implications of this dead end must be the following:
- Not even transfers under ‘explicit consent’ rules are legitimate. Under this rule, companies are required to inform about the lack of protection of personal data in the US, the lack of notification, the lack of redress rights, as well as the necessity and purpose of the transfer of personal data to third parties. General privacy statements are considered inadequate, as there must be a more explicit consent on the concrete purpose of the transfer. In practical terms, the state has deprived the citizen of the right to consent, and there is no longer consumer choice.
- With regard to model contract clauses (MCC), the ULD argues that a strict application of the ECJ ruling suspends all standard contractual agreements on the transfer of personal data to the US.
- Accordingly, all businesses must terminate these contracts and halt the data transfer to the US, with a sanction of up to 300,000 euro if they continue “without a valid legal basis”.
This follows our analysis that the ECJ ruled on internal EU competences and fundamental rights that apply generally, rather than just on a specific instrument, such as the Safe Harbor program. The ULD recommendations are the first steps towards the “worst case scenario” we envisaged, where national data privacy authorities (or even sub-central ones) could revert competences by questioning EU adequacy decisions, leveraging the ECJ ruling.
Eventually, when the storm settles, the European Commission has no choice but to clarify the current legal situation. Until then, Member State data privacy authorities are left to interpret the ruling as a justification for data localisation against the US, possibly even towards other EU countries. After all, the opinion that surveillance by the US is an infringement of the right to privacy, but that surveillance by other EU countries is not, is simply absurd. That may apply to domestic data flows too, for that matter.
Even when the European Commission finally speaks up, its interpretation of the ruling will be no more binding than that of Schleswig-Holstein: it will be word against word. In the end, the threat of a 300,000 euro sanction will prevail and determine how transatlantic business can (or cannot) be conducted.
What started as a geopolitical gamble around PRISM between Europe and the US has spun out of control into a major commercial problem. The ECJ ruling and subsequent decisions like the one by Schleswig-Holstein turn the commercial problem into a legal cul-de-sac, as the EU cannot possibly repeal or revert the facts or the grounds of the ECJ ruling. First of all, surveillance in Europe and the US is unlikely to cease. And similarly, the legal grounds of the ruling (European human rights) cannot be revoked.
In the long, long run, it is possible to see that law enforcement agencies could cooperate through a new type of mutual legal assistance that would lessen the need for surveillance. But as for Safe Harbor, it is hard to see how the European Commission could negotiate a new agreement that would satisfy all the criteria of the ruling, or how the new program would be beyond the reach of the newly instated powers under the ECJ ruling.